[SECURITY AVISORY] curl: CVE-2025-5399: WebSocket endless loop

Tue, 03 Jun 2025 22:52:59 -0700 

WebSocket endless loop
======================

Project curl Security Advisory, June 4 2025 -
[Permalink](https://curl.se/docs/CVE-2025-5399.html)

VULNERABILITY
-------------

Due to a mistake in libcurl's WebSocket code, a malicious server can send a
particularly crafted packet which makes libcurl get trapped in an endless
busy-loop.

There is no other way for the application to escape or exit this loop other
than killing the thread/process.

This might be used to DoS libcurl-using application.

INFO
----

The problem does not occur if "auto-pong" is disabled with the
`CURLWS_NOAUTOPONG` option.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2025-5399 to this issue.

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.13.0 to and including 8.14.0
- Not affected versions: curl < 8.13.0 and >= 8.14.1
- Introduced-in: https://github.com/curl/curl/commit/3588df9478d7c270

libcurl is used by many applications, but not always advertised as such!

This bug is **not** considered a *C mistake*. It is not likely to have been
avoided had we not been using C.

This flaw does not affect the curl command line tool.

SOLUTION
------------

Starting in curl 8.14.1, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/d1145df24de8f80e6b16

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 8.14.1

 B - Apply the patch to your local version

 C - Avoid using WebSocket

TIMELINE
--------

This issue was reported to the curl project on May 30, 2025. We contacted
distros@openwall on June 2, 2025.

curl 8.14.1 was released on June 4 2025 around 07:00 UTC, coordinated with the
publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS
-------

- Reported-by: z2_ on hackerone
- Patched-by: z2_ on hackerone

Thanks a lot!

--

 / daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html

Reply via email to